How NOT To Be The Next Sony: Defending Against Destructive Attacks

When an attacker wants nothing more than to bring ruin upon your business, you can't treat them like just any other criminal.

You know to include the threat of financially motivated cybercriminals in your risk profile. Done. But what about the ones who don't want money? The ones who just want to hurt you. How do you defend against and recover from attackers whose sole goal is to destroy?

Destructive attacks -- like the one at Sony Pictures Entertainment -- are personal. They're done by someone with a grudge: a disgruntled insider, an outraged hacktivist, a nation that sees the target as an enemy of the state.

Destructive attacks are also, in many ways, easier to do.

"If your only goal is to do damage," says Jonathan Sander, strategy and research officer for Stealthbits Technologies, "you don't need a lot of access."

As some security experts have noted, the Sony attackers could have compromised the company with nothing more than a phishing message, planted the wiper malware, and let it take things from there. Wiper malware spreads across a network on its own, so the attackers could simply sit back and watch as it deleted the company's data and turned its hardware into expensive paperweights.

The Sony hackers opted to first burrow deeper into the network to access and exfiltrate huge amounts of data -- intellectual property, regulated personally identifiable information, incriminating emails, and the details of the company's entire IT infrastructure. Instead of selling it, the attackers simply uploaded the whole lot to Pastebin where anyone could see it, damaging the company in another way.

Why and who? That's still up for debate. In the case of Sony, the US government's official word is that the attack was carried out by North Korea's cyberwar unit, in retaliation for Sony's production of The Interview, a comedy about assassinating North Korean leader Kim Jong-Un. Yesterday, FBI Director James Comey provided a bit of evidence supporting that assertion and Director of National Intelligence James Clapper went so far as to name a specific North Korean general.

Others say that even if it was North Koreans, they might have worked with an insider. Last week, researchers at Norse Corp. asserted that a disgruntled insider was definitely involved. As Dark Reading's Kelly Jackson Higgins reported:

Interestingly, however, the FBI's statement specifically calls out North Korea for "theft and destruction" of data. Missing from that attribution is the initial intrusion into Sony's network and servers -- the phase researchers from Norse think may have occurred with the assistance of a former Sony employee with an axe to grind.

The example of a nation-state administering digital punishment for a Seth Rogen / James Franco movie is not likely to repeat itself -- so rather than trying to defend against such an attack, an organization is better served planning how to respond to a mega-destructive incident.

The threat of malicious insiders looking to stick it to their current or former employers, on the other hand, is all too common. Security experts say there are plenty of ways organizations can protect themselves against that.

The Malicious IT Insider

Businesses now have all sorts of tech rigged to detect intrusions and strange behavior, and issue alerts when something is awry. But what if the person receiving those security alerts is the very person causing them? The disgruntled IT security staffer is perhaps the worst threat of all.

Sander says that organizations may contain a threat by managing user access privileges and "box someone in so that they can only do so much damage. Organizations are pretty good at doing that at the application level," but not at the data level, he says -- unstructured data in particular.

To do their jobs, IT staff do need administrator access to the IT systems / applications, but don't need to access the data, says Sander. "There's no reason an Exchange admin needs to read my email," he says. "And why should IT ever touch HR files?"

Companies think about prohibiting access to systems, but attackers don't want systems, they want data. And attackers aren't stopped by your hardened tech, because they've got another way in.

"Hackers are usually focused on the user, not the system," says Gaby Friedlander, co-founder and CTO of ObserveIT, "but organizations are usually focused on the system, not the user. So hackers can go in through the front door."

Malicious IT staff have it even easier, because they're already inside. That's why Friedlander says organizations need to protect themselves by building a profile of each user's normal behavior and watching for activity that is suspicious for that user, rather than relying only on a list of static rules and red flags.

"The IT guys know those rules," says Friedlander. "They can easily bypass them."
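To make Friedlander's point concrete, here is an added example (not code from the article, ObserveIT, or Stealthbits) that runs a per-user behavioral baseline next to a static rule over a handful of audit records. The log format, the user and share names, the byte counts, and the 3-sigma volume threshold are all constructed assumptions for illustration. The static rule only watches the HR share, so it misses the Exchange admin bulk-reading the mail store he is allowed to administer; the baseline flags both, because neither a READ of that store, a 23:00 login, nor a half-gigabyte transfer is normal for that account.

```python
"""Per-user behavioral baselining versus a static rule.

Added illustration for this article; not code from Dark Reading, ObserveIT
or Stealthbits. The audit-log format, user names, share names, byte counts
and the 3-sigma threshold are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records: "<ISO timestamp> <user> <action> <resource> <bytes>".
# A few days of normal activity, used to learn what each user usually does.
BASELINE_LOG = """\
2014-11-24T09:05:00 exch_admin ADMIN mailstore/db01 4096
2014-11-24T10:15:00 exch_admin ADMIN mailstore/db02 2048
2014-11-25T09:40:00 exch_admin ADMIN mailstore/db01 4096
2014-11-25T11:20:00 exch_admin ADMIN mailstore/db02 2048
2014-11-26T09:30:00 exch_admin ADMIN mailstore/db01 4096
2014-11-24T14:00:00 hr_clerk READ hr/personnel 8192
2014-11-25T15:30:00 hr_clerk READ hr/personnel 6144
2014-11-26T14:45:00 hr_clerk WRITE hr/personnel 1024
"""

# Constructed records for the day under review: the Exchange admin does his
# usual job, then late at night bulk-reads the mail store and the HR share.
NEW_LOG = """\
2014-11-27T09:10:00 exch_admin ADMIN mailstore/db01 4096
2014-11-27T23:40:00 exch_admin READ mailstore/db01 524288000
2014-11-27T23:55:00 exch_admin READ hr/personnel 262144000
2014-11-27T14:10:00 hr_clerk READ hr/personnel 7168
"""

SENSITIVE_SHARES = {"hr/personnel"}  # the one resource the static rule watches


def parse(log):
    """Turn log text into (timestamp, user, action, resource, bytes) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource, int(size)))
    return events


def static_rule_alerts(events):
    """The fixed rule an IT insider already knows: non-HR users touching HR data."""
    return [(user, ts.isoformat(), f"sensitive resource {resource}")
            for ts, user, action, resource, _ in events
            if resource in SENSITIVE_SHARES and not user.startswith("hr_")]


def build_baselines(events):
    """Learn, per user, which action/resource pairs, hours and volumes are normal."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    baselines = {}
    for user, evs in by_user.items():
        sizes = [e[4] for e in evs]
        baselines[user] = {
            "pairs": {(e[2], e[3]) for e in evs},   # (action, resource) seen before
            "hours": {e[0].hour for e in evs},      # hours of day seen before
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
        }
    return baselines


def baseline_alerts(baselines, events, sigma=3.0):
    """Flag events that deviate from that user's own history, not from a global rule."""
    alerts = []
    for ts, user, action, resource, size in events:
        base = baselines.get(user)
        if base is None:
            alerts.append((user, ts.isoformat(), "no baseline for this user"))
            continue
        reasons = []
        if (action, resource) not in base["pairs"]:
            reasons.append(f"first {action} of {resource} by this user")
        if ts.hour not in base["hours"]:
            reasons.append(f"unusual hour {ts.hour:02d}")
        if size > base["mean"] + sigma * base["stdev"]:
            reasons.append(f"volume {size} far above this user's norm")
        if reasons:
            alerts.append((user, ts.isoformat(), "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(parse(BASELINE_LOG))
    print("static rule:", static_rule_alerts(parse(NEW_LOG)))
    print("baseline   :", baseline_alerts(baselines, parse(NEW_LOG)))
```

On the constructed records the static rule raises one alert (the HR read) and the baseline raises two (the mail-store read and the HR read). A real deployment would learn from weeks of data rather than three days, tune the threshold per data source, and route the alerts to more than one reviewer, so that the admin whose activity tripped them is not the only person who sees them.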

The point, says Sander, is not to mistrust your employees. The point is to entrust them with all the access privileges they need to do their job, and no more.

John Gunn, vice-president of corporate communications at Vasco, adds that measures like behavioral analysis are important, because a happy insider today may not be happy tomorrow. "Even the right person can become the wrong person," he says.

For all of these reasons, appropriate separation of duties is essential. An insider with all the keys to the castle is an enormous threat. An insider who only has a key to the castle datacenter is less of a threat.

Replication of duties is also important. If there's only one guy receiving security alerts, and he goes rogue, nobody finds out he's up to no good. If there are two or three people receiving those alerts, the chances of detection are much greater. Sander points out that a smaller company may not have the manpower for that, but should do it as soon as it has the resources.

Compounding the problem, says Friedlander, is that incident alerts are not always provided with enough context or forensic evidence, so the department "deals with it as an IT problem, not a security problem." The helpdesk may "solve" suspicious activity by simply resetting a password, without investigating why that password needs to be changed.

Mind you, none of these measures necessarily prevent the destruction of hardware -- deploying wiper malware, shooting servers with a machine gun, or throwing all your back-ups onto a bonfire. However, they do make it more difficult for a malicious insider to damage a company by deleting or disclosing essential corporate data.

Respond and Rebuild

Incident response after a destructive cyber attack -- particularly one at the scale of the Sony super-mega-ultra-destructive one -- may need to be approached more like a physical disaster (flood, explosion, etc.) than a digital one.

When Hurricane Sandy (AKA Superstorm Sandy) hit New York City and New Jersey, buildings were destroyed, lives were lost, roads were closed, and power and telecom lines were down for weeks. During that period, government workers in New Jersey were communicating through an emergency radio system. They were sitting in their cars, updating emergency info on government websites via their personal mobile phones, plugged into car chargers.

Replication of duties was important too, so that essential functions could still be carried out even if the usual point person was without power, or in a hospital or evacuation center.

Although the Sony incident was not a disaster of that caliber, it did present some of the similar challenges. It left the company without client machines, email, VoIP, or any of the other usual communications technology.

Further, when a cyber incident occurs, fingers may be pointed, eyebrows raised, and questions asked about whether a malicious insider was involved. Was it a disgruntled ex-worker who has left more timebombs? Is that person still within the company?

That's a scary proposition. Sony really needs to rebuild from scratch, since every detail of their IT infrastructure was publicly exposed. If one of the culprits could still be working within the company, do you want to involve them in the rebuild process? Or should that all be outsourced to a third-party without a dog in the fight?

"Frankly the only difference is a matter of culpability," says Sander. If there's another devastating destructive attack, do you sue the service provider or chop off heads inside the company? "You can make a case for either."

As for the post-incident public relations, "You can see the pattern," says Gunn. "'We're investigating a possible breach,' which means they know they've been hit." Then they confirm they were compromised, in a manner that was completely unprecedented. "'It wasn't our fault! It was like a meteor hitting!'"

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Well put together article Sara and I think you're spot on with the view that data breaches (once they have happened) need to take methodologies from physical disaster response policies. Equally, I think the world of prevention needs to move its focus from building walls and start looking way more at identity and access management. As long as we have been building walls, we have been building bigger catapults, longer ladders, better mining tools, smaller infiltration components, etc. It's a losing proposition to continue on this road for tech; bad guys get paid too much to make the breach happen.

A few years ago Symantec started declaring the bad guys had already won and wanted to build out identity profiling for potential threat actors on your environment. There are a lot of good Enterprise Access and Governance organisations out there with solid tools to eliminate or mitigate risk in this arena, IAM should be high on the C-suite agenda and the recent pushes to standardisation and definition of Cybersecurity policy based on executive orders only serve to underline this fact.

You're right. The Insider Threat is not just about corporate data or financial reward. Today's world offers many different opportunities for the insider threat. Critical services that society relies on are dependent on computers and seen as potentially vulnerable to security attacks. To avoid being the 'next' Sony Insider Threat story, insider threats need to continue to move in priority and become an executive and board-level concern.

The good news is that there is a lot that organizations can do now. Building an Insider Threat Program helps move an organization from paranoia to protection. This means involving a sophisticated tool set, staff and managers' awareness and an efficient process.

Recent pieces written by Brian Krebs reinforce how opportunistic groups like LizardSquad are using botnets to infiltrate not only corporate network devices but home devices as well. Home users need to practice a little more discipline with passwords and the like; using the default is not a viable option.

@Kelly Yeah, I mean I'm sympathetic to Sony's disaster recovery plight, because I'm sure they didn't think that an information security breach could cause that much damage. It definitely makes the point that the same people who build DR plans for natural disasters need to be working on DR plans for digital disasters.

I am a strong advocate for not allowing a single point of failure. Some corporations may find an excessive overlapping of responsibilities redundant. The contrary not only represents a security hole but also a valid business risk, as your employees do have the right to take off, leave the corporation, etc. There are many issues involved with a single point of failure. Enterprise needs to realize people are not as predictable as computation. For that reason and a few others, such as a knowledge challenge, there need to be responsibilities that overlap.

Speaking about Incident Response plans, look no further than our latest flash poll (click or mosey over to the right-side column and scroll down) to see that IR is not exactly a pressing priority within the Dark Reading community. 40 percent of respondents say they don't even have a plan!

The Sony breach was a painful example of how crucial it is for an incident response plan to be part and parcel of a security strategy. Sony's Lynton reportedly (according to the NYT) told his staff in the aftermath: "There is no playbook for us to turn to." But that's only because they didn't have a full-blown IR plan in place. If so, Sony might have had a better and quicker response, with less carnage.
